Self-Control Agent Resource Utilization

Overview

The F5 Distributed Cloud App Infrastructure Protection (AIP) Agent's components are as efficient with system resources as possible. If you want to constrain memory and CPU utilization further, you can configure the Agent to use Self-Control, which conserves resources through systemd.

Note

A systemd configuration file with default values is included in Agents 2.3.0 and later. You can still control Agents older than 2.3.0 with a custom systemd service file.

systemd controls your Agent in the same way it controls other services on your host. You can monitor these systemd controls as you would for any other service.

Measure Agent Resource Use

You can measure the Agent’s resource use as the Agent runs to determine whether you need to further constrain memory and CPU utilization.

View tsagentd’s resource use with the following commands:

ps -d | grep tsagentd
top -p <PID> -b -d 1 -n 600

Replace <PID> with the tsagentd process ID that ps reports. The -n flag sets the number of samples top takes, and -d 1 sets a one-second interval between samples. In this example, -n 600 means the scan runs for 600 seconds, or 10 minutes.

Modify systemd to Enforce Agent Resource Utilization

You can create a systemd override file to set various limits to the Service section.

To create the service override file, copy /lib/systemd/system/threatstack.service to /etc/systemd/system/threatstack.service

Example:

[Unit]
Description=Threat Stack Monitoring
After=network.target
Conflicts=auditd.service
StartLimitBurst=5
StartLimitIntervalSec=12
[Service]
Type=forking
PIDFile=/opt/threatstack/run/tsagentd.pid
ExecStart=/opt/threatstack/bin/tsagent start --systemd
ExecStartPost=/opt/threatstack/sbin/status
TimeoutSec=30
Restart=always
RestartSec=2
TimeoutStopSec=2
Environment=GODEBUG=madvdontneed=1
MemoryLimit=500M
CPUQuota=5%
[Install]
WantedBy=multi-user.target

Note

The values in this example are arbitrary and need to be tuned for your own production environment(s).

In the above example:

  • The Agent is constrained to a maximum of 5% of CPU time (CPUQuota=5%).
  • systemd watches tsagentd and terminates it if it exceeds 500MB of memory use (MemoryLimit=500M).
  • Because Restart=always is set, the Agent then restarts after the number of seconds set in RestartSec=[number]. If you omit RestartSec, this number defaults to 100 milliseconds.

Important

Set StartLimitIntervalSec at a value that is greater than RestartSec * StartLimitBurst to ensure the limit works properly.
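
The following Python check is an added example, not part of the F5 documentation or the Agent. It reads an override file, confirms that MemoryLimit and CPUQuota are present, and tests the StartLimitIntervalSec rule stated above. The function names and the trimmed sample unit are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: the limit-related keys from the override file above.
SAMPLE_UNIT = """\
[Unit]
StartLimitBurst=5
StartLimitIntervalSec=12
[Service]
Restart=always
RestartSec=2
MemoryLimit=500M
CPUQuota=5%
"""

# Subset of systemd time-span suffixes, in seconds; a bare number is seconds.
UNITS = {"": 1.0, "s": 1.0, "sec": 1.0, "ms": 0.001, "msec": 0.001,
         "min": 60.0, "m": 60.0, "h": 3600.0, "hr": 3600.0}


def to_seconds(span):
    """Convert a span such as '2', '100ms' or '1min 30s' to seconds."""
    tokens = re.findall(r"(\d+(?:\.\d+)?)\s*([a-z]*)", span.strip().lower())
    if not tokens:
        raise ValueError(f"unparseable time span: {span!r}")
    return sum(float(num) * UNITS[unit] for num, unit in tokens)


def check_unit(text):
    """Return a list of findings for a unit file; an empty list means OK."""
    # interpolation=None so the '%' in CPUQuota=5% is read literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; systemd keys are case-sensitive
    cp.read_string(text)
    unit = cp["Unit"] if cp.has_section("Unit") else {}
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = [f"{key} is not set, so that resource is not capped"
                for key in ("MemoryLimit", "CPUQuota") if key not in svc]
    if "StartLimitBurst" in unit and "StartLimitIntervalSec" in unit:
        restart = to_seconds(svc.get("RestartSec", "100ms"))  # default per page
        window = restart * int(unit["StartLimitBurst"])
        interval = to_seconds(unit["StartLimitIntervalSec"])
        if interval <= window:
            findings.append(f"StartLimitIntervalSec={interval:g}s must exceed "
                            f"RestartSec * StartLimitBurst = {window:g}s")
    else:
        findings.append("StartLimitBurst/StartLimitIntervalSec not both set")
    return findings


if __name__ == "__main__":
    print(check_unit(SAMPLE_UNIT) or "OK")
```

To check a real host, pass the contents of /etc/systemd/system/threatstack.service to check_unit instead of the sample string.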
